PCI DATA SECURITY STANDARD


The PCI Data Security Standard requirements 
apply to all payment card network members, 
merchants and service providers that store, 
process or transmit cardholder data. The core 
requirements are organized in six categories: 


PRINCIPLES AND REQUIREMENTS 


Build and Maintain a Secure Network 
1. Install and maintain a firewall configuration to protect 
cardholder data 
2. Do not use vendor-supplied defaults for system 
passwords and other security parameters 


Protect Cardholder Data 
3. Protect stored cardholder data 
4. Encrypt transmission of cardholder data across open, 
public networks 


Maintain a Vulnerability Management Program 
5. Use and regularly update anti-virus software 
6. Develop and maintain secure systems and applications 


Implement Strong Access Control Measures 
7. Restrict access to cardholder data by business 
need-to-know 
8. Assign a unique ID to each person with computer 
access 
9. Restrict physical access to cardholder data 


Regularly Monitor and Test Networks 
10. Track and monitor all access to network resources 
and cardholder data 
11. Regularly test security systems and processes 


Maintain an Information Security Policy 
12. Maintain a policy that addresses information security 


VALIDATION ENFORCEMENT 


Participating companies can be barred from
processing credit card transactions, higher
processing fees can be applied, and, in the event
of a serious security breach, fines of up to
$500,000 can be levied for each instance of
non-compliance.
HOW TO VALIDATE COMPLIANCE WITH THE PCI DATA SECURITY STANDARD


To validate compliance, all merchants and service providers, regardless of credit card transaction volume and acceptance channel, must
fulfill two validation requirements. Some merchants and service providers validate compliance through an Annual On-Site Security Audit
and Quarterly Network Scan, while others complete an Annual Self-Assessment Questionnaire and Quarterly Network Scan. Compliance
levels for merchants and service providers are defined based on annual transaction volume and corresponding risk exposure:


MERCHANT & SERVICE PROVIDER LEVELS & VALIDATION ACTIONS 


LEVEL | CRITERIA | ON-SITE SECURITY AUDIT | SELF-ASSESSMENT QUESTIONNAIRE | NETWORK SCAN | VALIDATE 3RD-PARTY PAYMENT APPLICATION
----- | -------- | ---------------------- | ----------------------------- | ------------ | --------------------------------------
Merchant 1 | Any merchant, regardless of acceptance channel, processing more than 6 million transactions per year; any merchant that suffered a security breach, resulting in an account compromise | Required Annually * | | Required Quarterly | Required **
Merchant 2 | Any merchant processing between 1 to 6 million transactions per year | Required Annually * | | Required Quarterly |
Merchant 3 | Any merchant processing between 20,000 to 1 million transactions per year | | Required Annually | Required Quarterly | Required **
Merchant 4 | All other merchants not in Levels 1, 2, or 3, regardless of acceptance channel | | Required Annually | Required Quarterly | Required **
Service Provider 1 | All processors and all payment gateways | Required Annually * | | Required Quarterly | Required **
Service Provider 2 | Any service provider that is not in Level 1 and stores, processes or transmits more than 1 million accounts / transactions annually | Required Annually * | | Required Quarterly | Required **
Service Provider 3 | Any service provider that is not in Level 1 and stores, processes or transmits less than 1 million accounts / transactions annually | | Required Annually | Required Quarterly | Required **


* On-Site Security Audits may be conducted through Qualys PCI Consulting Partners - http://www.qualys.com/partners/pci
** Any merchant or service provider using 3rd-party payment applications is required to validate compliance or use an approved
PCI DSS payment application - https://www.pcisecuritystandards.org/security_standards/vpa/


